Challenges

4.1: IP Address (5 pts)

Explore source types associated with login, with a small number of events. Find events on that day and look at their IP addresses.

4.2: Signature (5 pts)

Amongst the Suricata signatures that detected the Cerber malware, which one alerted the fewest number of times? Submit ONLY the signature ID value as the answer. (No punctuation, just the 7 digits.)

Hints:

Search for Cerber -- you find 21,596 events.

Examine the source field -- there are 4 values.

Explore the source type associated with Suricata.

4.3: FQDN (15 pts)

What fully qualified domain name (FQDN) does the Cerber ransomware attempt to direct the user to at the end of its encryption phase?

Hints:

Examine the five Suricata alerts about Cerber. View them as "raw text" in time order.

Find a time delay and the domain lookup events after it. Note the time of those events.

Search events near that time. Examine the source values, as shown below. Examine Suricata events (which are more numerous than alerts).

4.4: Suspicious Domain (15 pts)

What was the first suspicious domain visited by we8105desk on 24AUG2016?

Hints:

Find the Suricata events on that day. There are 86,579 of them.

Examine the src_ip field. Restrict your query to the desired value.

Examine the event_type field. Restrict your query to events that load Web pages. There are 38 of them.

Examine the hostnames visited. There are ten of them. Investigate them with Google and find the one that's known to be malicious.
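The 4.4 hints as a single Splunk search, added here as an illustration and not part of the original challenge text. The index name botsv1, the sourcetype name suricata, the field name http.hostname (taken from Suricata's EVE JSON layout) and the src_ip placeholder are assumptions; the search stops at listing the hostnames, so the lookup step still has to be done by hand.

```spl
index=botsv1 sourcetype=suricata src_ip=<IP_OF_we8105desk> event_type=http
    earliest="08/24/2016:00:00:00" latest="08/25/2016:00:00:00"
| stats count AS requests, min(_time) AS first_seen BY http.hostname
| sort first_seen
| convert ctime(first_seen)
```

The same shape answers 4.2: swap event_type=http for event_type=alert and group by alert.signature_id (also a Suricata EVE field) to see which Cerber signature fired least.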

4.5: VB Script (15 pts)

During the initial Cerber infection a VB script is run. The entire script from this execution, prepended by the name of the launching .exe, can be found in a field in Splunk. What is the name of the first function defined in the VB script?

Hints:

Search for events with both a VB filename extension and an .exe extension.

Read the events to identify normal ones and find the suspicious ones.

4.6: VB Script (15 pts)

During the initial Cerber infection a VB script is run. The entire script from this execution, prepended by the name of the launching .exe, can be found in a field in Splunk. What is the length in characters of the value of this field?

Hint:

Find the length of the Splunk field, not the length of the script itself.
This may be helpful.